Skip to main content

nimiq-primitives CVE-2026-54541

LOW
Uncaught Exception (CWE-248)
2026-07-16 https://github.com/nimiq/core-rs-albatross GHSA-46wq-28cx-mhw4
3.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
3.7 LOW

AC:H for probabilistic peer-selection requirement during active sync; A:L for transient self-healing crash only; C and I are N with no data exposure or state corruption.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 16, 2026 - 20:36 vuln.today
Analysis Generated
Jul 16, 2026 - 20:36 vuln.today

DescriptionGitHub Advisory

Impact

A malicious peer acting as a state-sync source can crash a syncing node by sending a crafted TrieChunk whose proof contains two TrieProofNodes with identical keys. TrieProof::verify() calls TrieProofNode::child_index() (primitives/src/trie/trie_proof_node.rs:94), which unconditionally unwraps KeyNibbles::get(self.key.len()). Because is_prefix_of returns true for two equal keys, execution reaches get(len), which returns None, and the unwrap() panics.

The panic is reached from untrusted network input (ResponseChunkcommit_chunksput_chunkproof.verify()) before any cryptographic proof verification, so the attacker does not need to produce a valid proof. Exploitation requires the attacker to be selected as the victim's sync peer while the victim is performing state sync, and the resulting crash is transient (the node restarts and re-syncs).

Affected: core-rs-albatross <= 1.5.1 (nimiq-primitives).

Patches

Fixed in 1.6.0 via https://github.com/nimiq/core-rs-albatross/pull/3789 (commit 41d35ace). child_index now rejects equal-length keys and returns MerkleRadixTrieError::WrongPrefix instead of unwrapping.

Workarounds

None other than syncing only from trusted peers. Upgrade to 1.6.0.

AnalysisAI

Panic-induced denial of service in nimiq-primitives (core-rs-albatross <= 1.5.1) allows a malicious state-sync peer to crash a syncing Nimiq blockchain node by sending a crafted TrieChunk whose proof contains two TrieProofNode entries with identical keys. The panic fires in TrieProof::verify() before any cryptographic proof validation occurs, so no valid proof is required to trigger it. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Operate Nimiq peer node on network
Delivery
Win peer-selection race as victim's sync source
Exploit
Send crafted TrieChunk with two identical-key TrieProofNodes
Execution
Trigger unwrap panic in TrieProof::verify() before crypto check
Persist
Victim node process crashes
Impact
Node auto-restarts and re-syncs

Vulnerability AssessmentAI

Exploitation Exploitation requires two concurrent conditions: (1) the victim Nimiq node must be actively performing state synchronization - this phase occurs when a node is bootstrapping or catching up and is not continuously active on a fully-synced node; and (2) the attacker's node must be selected as the victim's designated sync peer for the current sync session, a probabilistic outcome in the P2P peer-discovery process that the attacker cannot deterministically force without controlling significant routing infrastructure. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.7 (Low) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L accurately represents real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operates a Nimiq node and either joins the peer network naturally or exploits peer-routing to increase the probability of being selected as a victim node's state-sync peer during an active sync session. Once selected, the attacker sends a single crafted TrieChunk message where the embedded TrieProof contains two TrieProofNode entries sharing an identical key, triggering an unwrap panic in TrieProof::verify() before any cryptographic check is reached. …
Remediation Upgrade core-rs-albatross to version 1.6.0, which is the vendor-released patched version confirmed via the release tag at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.6.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54541 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy